←back to thread

Security issues with electronic invoices

(invoice.secvuln.info)
91 points todsacerdoti | 1 comments | 12 Dec 25 20:28 UTC | HN request time: 0.423s | source
Show context
tnorgaard ◴[12 Dec 25 21:41 UTC] No.46249333[source]
This talk seems set out to prove that "XML is Bad". Yes XML-DSig isn't great with XPaths, but most of these attack vectors has been known for 10 years. There is probably a reason why the vulnerabilities found where in software not commonly used, e.g. SAP. Many of the things possible with XML and UBL simply isn't available in protobuf, json. How would you digitally sign a Json document and embed the signature in the document?

The article nor the talk appear to reference the XML standard that EN 16931 is built upon: Universal Business Language, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=... - which is freely available. Examples can be found here: https://github.com/Tradeshift/tradeshift-ubl-examples/tree/m... . It is a good standard and yes it's complex, but it is not complicated by accident. I would any day recommend UBL over IDOC, Tradacom, EDIFACT and the likes.

replies(6): >>46250010 #>>46250248 #>>46250356 #>>46250567 #>>46251591 #>>46253809 #
cogman10 ◴[12 Dec 25 23:33 UTC] No.46250356[source]
Other answers are good. One more that you could do is put the JSON document inside a container (A zip archive for example). Then your document can effectively be

    invoice.inv (zip archive)
    └- payload.json
    └- signature.asc
This has the benefit of adding more opportunities for many json documents within the archive.

It's effectively what the Java jar is.

replies(1): >>46250629 #
bsamuels ◴[13 Dec 25 00:13 UTC] No.46250629[source]
dont unzip an untrusted payload
replies(1): >>46250705 #
cogman10 ◴[13 Dec 25 00:24 UTC] No.46250705[source]
Unless you are worried about something like a gzip bomb, I don't see why this is an issue. A lot of formats are effectively just zips. The xlsx, odf, etc for example. It's a pretty common format style.

It helps to have a well defined expected structure in the archive.

replies(1): >>46252027 #
boston_clone ◴[13 Dec 25 04:38 UTC] No.46252027[source]
hello,

https://nvd.nist.gov/vuln/detail/CVE-2025-11001

replies(1): >>46255903 #
cogman10 ◴[13 Dec 25 16:46 UTC] No.46255903[source]
Right, so long as step 1 in reading your file isn't "extract everything" you're pretty safe.

This specific exploit is one that only exists when you are extracting a zip on windows.

replies(1): >>46259457 #
boston_clone ◴[13 Dec 25 23:59 UTC] No.46259457[source]
this is just one instance of a vulnerability associated with unzipping; a curious search would yield more.
replies(1): >>46259686 #
cogman10 ◴[14 Dec 25 00:32 UTC] No.46259686[source]
A curious search reveals that vulnerabilities that do exist are of 2 flavors.

1. Standard C memory vulnerabilities

2. Unsafe file traversal while unzipping

The entire second class is avoided in a fixed file format. The first class of vulnerabilities plague everything. A quick look at libxml2 CVEs shows that.

replies(1): >>46265646 #
1. boston_clone ◴[14 Dec 25 18:51 UTC] No.46265646[source]
and the zip bombs you mentioned! i keep a dummy SD card with one hehe.

but yeah the first class of vulns is why we have advice like don’t run untrusted input, which is not dissimilar to “don’t unzip untrusted payloads”.